Microsoft and Google have had a vulnerable 2021, Atlas VPN declares

Gandalf_The_Grey

What you need to know
  • According to Atlas VPN, Microsoft and Google had the most vulnerabilities in tech during the first half of 2021.
  • Google racked up a whopping 547 total vulnerabilities, making it the pack leader among exposed companies.
  • Microsoft came in second with a still-noteworthy 432 vulnerabilities, thanks to situations such as this year's Exchange server chaos.
If you thought all those stories earlier this year regarding Microsoft's various earth-shattering product vulnerabilities weren't going to net it some sort of award by the end of 2021, you thought wrong: Microsoft has officially scored Atlas VPN's silver medal for the most recorded vulnerabilities in the first half of 2021, topped only by gold medalist Google.

You can check out Atlas VPN's post for all the nitty-gritty details on who landed where outside of the podium placements (spoiler: Apple only managed eighth place with an embarrassing 67 vulnerabilities, not even getting close to Microsoft), but we're going to focus on the big winners of the awkward race: Google and Microsoft.

Google came out on top with 547 noted vulnerabilities in the first half of 2021, which Atlas reminds us directly endangers the over three billion Chrome users out there. And, though typically not one to be outdone, Microsoft has only managed a distant second to Google this time around, racking up 432 instances of unwanted exposure. The strong 432 figure was made possible in part by the Microsoft Exchange chaos that gobbled up most of early 2021's news cycle.

Microsoft has made it clear that it's not a fan of being vulnerable and even has various bounties active for those who want to make a buck quashing blindspots for Redmond. It appears more resources will be needed to keep itself off future Atlas VPN lists.
 

Andy Ful

The number of vulnerabilities can be misleading. The same would be true of COVID in two countries with the same number of citizens. In one country there were 50000 COVID tests in one day and 1000 were positive. In the second country, there were 5000 tests on the same day and 100 were positive. And guess which country was more vulnerable to COVID?

When we think about users' security, one should probably skip vulnerabilities discovered via the bug bounty program (many vulnerabilities). Also, the time required to publish patches is very important. Another factor can be the prevalence of 0-day exploits and their impact on enterprises compared to home users. The next one can be related to security layers.

So, when we take for example the home users of Windows 10 (with Defender) and Linux (no AV), I am not sure which one can be more impacted by exploit + payload attacks. :unsure:

show-Zi

You should pay more attention to vulnerabilities that are not counted because they have not been discovered, rather than the number of vulnerabilities found.
I think you can think of the number of vulnerabilities found as the result of a battle.
 

Andy Ful

You should pay more attention to vulnerabilities that are not counted because they have not been discovered, rather than the number of vulnerabilities found.
I think you can think of the number of vulnerabilities found as the result of a battle.
Many vulnerabilities show weaknesses in the OS design (like UAC and the User/Kernel boundary in Windows). I think that the number of vulnerabilities is less important for security compared to such weaknesses, which were successfully bypassed for many years.
Generally, the more popular the OS, the less secure it is. The popular OS is prevalent, cheap, and usable. This has a negative impact on security. Such an OS creates pressure on criminals and hackers that increases their efforts to bypass the security for profit.

show-Zi

This is my theory.
'Convenience and comfort are proportional to the incidence of unstable problems such as vulnerabilities.'

Microsoft and Google are companies that improve convenience and comfort to acquire new users while retaining existing users. I take it for granted that vulnerabilities exist. If the basis of security is how to deal with such weaknesses, it can be said that the discovery of a vulnerability is the first step toward countermeasures.
 

Andy Ful

'Convenience and comfort are proportional to the incidence of unstable problems such as vulnerabilities.'

But, if the OS/software is not popular then these vulnerabilities are rarely exploited in the wild.

... it can be said that the discovery of a vulnerability is the first step toward countermeasures.
Yes. But, if the discovery is not published, then the software (hardware) vendors often ignore the problem for months/years. Such examples can be found in the bug bounty program.

Andy Ful

Public disclosure of exploit code (even partial) before patching is unethical. The practice has resulted in numerous successful attack campaigns.
Yes, it is often unethical. But the same can be said about the practice of vendors ignoring vulnerabilities. There can be a compromise between both: the researcher who discovered the vulnerability can give the vendor some time (a month or more) to publish the patch.

Sometimes the situation is more complex because the vulnerability can be exploited in the wild before public disclosure. A good example is the CVE-2021-40444 MSHTML vulnerability:

[Figure 5: Exploitation attempts]
The chart shows the exploitation attempts; most of them were detected/blocked by Defender after 8-Sep.
This vulnerability was exploited in the wild for three weeks before it was published by independent researchers.
I think that in this case the public disclosure did not cause any negative or positive effects. Three weeks after the first occurrence, Defender could already detect/block most malware based on this vulnerability.
Also, Microsoft understood well how dangerous this vulnerability could be and did not ignore it.